
Re: using ldap to control access to other services



On 04/08/10 18:12 +0800, William Cai wrote:
Hi List,

I have been using LDAP for some time. The LDAP server is mainly used to
store user information. Today I heard that LDAP can be used to control
access to other services. More specifically, "The way it works is that your
(or any other) app calls LDAP with something like 'I am user A, here is my
ticket, so what can I do?' and then LDAP responds: 'User A has a type X and
can access the B, C and D functions, but cannot access the X, Y and Z
functions'. So your app realizes that 'Type X can access today and
tomorrow, but not the day after tomorrow' etc." I went through the OpenLDAP
document http://www.openldap.org/doc/admin24/access-control.html. But it
seems to focus on how to control access to the LDAP server itself. Could
anybody show me how to implement this?

1. Do I need to model the business environment in LDAP? e.g. create a node
for each function point.
2. What is the programming model? Can I use a Java interface to retrieve
this permission information?
3. Is it an OpenLDAP-specific function or a common LDAP function?

Conceptually this is the role of AAA (authentication, authorization, and
accounting) within a network, which suggests RADIUS or TACACS+.

We've found FreeRADIUS with an OpenLDAP backend to work well in our
network, where we have a lot of Cisco gear and one-off devices which
support RADIUS. In our implementation, OpenLDAP acts as a database for
FreeRADIUS which provides the userPassword to FreeRADIUS for
authentication, and relevant radius* attributes to the calling device for
authorization.

--
Dan White
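The setup in the reply above (OpenLDAP holding the user's password for FreeRADIUS authentication and radius* attributes for authorization), as a constructed example entry that is not from the thread or from either project's documentation. It assumes the OpenLDAP schema shipped with FreeRADIUS (objectClass radiusprofile and the radius* attributes) is loaded, a suffix of dc=example,dc=com, and a FreeRADIUS ldap module configured to map these attributes.

```ldif
# Constructed example (assumption: FreeRADIUS's OpenLDAP schema is loaded,
# suffix dc=example,dc=com). One user entry serving both roles the reply
# describes: credential store for authentication, attribute store for
# authorization.
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: radiusprofile
uid: alice
cn: Alice Example
sn: Example
# Authentication: FreeRADIUS reads (or binds with) this value to verify the
# user. Keep it hashed; the placeholder below stands for output of slappasswd.
userPassword: {SSHA}<hash-generated-with-slappasswd>
# Authorization: values FreeRADIUS turns into check items (conditions the
# request must satisfy) and reply items (attributes returned to the NAS in
# the Access-Accept). The op/value syntax mirrors FreeRADIUS's users file.
radiusCheckItem: Simultaneous-Use := 2
radiusServiceType: NAS-Prompt-User
radiusReplyItem: Session-Timeout = 3600
# Vendor-specific reply for the Cisco gear mentioned in the reply: a
# restricted exec privilege level rather than full enable access.
radiusReplyItem: cisco-avpair = "shell:priv-lvl=1"
```

Because userPassword now feeds a second service, the OpenLDAP access-control page the original poster found does become relevant: grant the FreeRADIUS bind DN read (or auth) access to userPassword and deny it to everyone else.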